Self-Sovereign Identity Project
================================================================================

# Key Requirements

1. Implement a multiplatform mobile app using Apache Cordova or similar that
creates a business card for use as a digital identity controlled by the mobile
owner, called a self-sovereign identity, or SSI.
2. Store a public/private key-pair for encryption purposes, such as RSA, when
communicating with others.
3. Use existing technology for transmission of messages by either email or text
messages.
4. Specify a simple, virtual business card schema with typical contact
information laid out like a typical physical business card.

## Developmental Requirements

1. Use one of the following multiplatform frameworks:
  * [Apache Cordova](https://cordova.apache.org/)
  * [NativeScript](https://www.nativescript.org/)
  * For advanced developers, write nigh on everything in C and use the [NDK](https://developer.android.com/ndk/)
  for Android and take advantage of iOS using ObjectiveC, a superset of C.

# Why

1. Centralized identities offer a single attack surface for identity thieves
to perform large scale breaches of identity theft.
2. SSIs use encryption instead of sensitive, private information.
3. Self-sovereign identity solutions elevate identity assurances for
collaborating owners and service providers.
4. SSIs decrease reliance on remote access passwords to access web services.

# Stories

1. Users create a digital identity in the form of a business card to exchange
with others.
2. Users add a photo or a logo to their virtual business card.
3. Users send/receive their ID and messages via existing technologies.
4. Users follow the typical procedure of signing their message with their own
private key and encrypting it with the receiver's public key.

# Nice-to-haves

* Extend support for [secure-scuttlebutt](https://github.com/ssbc/secure-scuttlebutt)
* Extend support for [blockchainMe](https://github.com/kiarafrobles/blockchainMe)
* Extend support for [uPort](https://www.uport.me/)
* Use other existing technologies, such as QR codes, NFC, bluetooth, or some
other standardized protocol or service.
* Allow for multiple identities.
* Add a duress mode to spoof the process or send alerts.
* Add other digital identity schema, such as an electronic driver license or
virtual student body card.
* Implement a web service that can login a user with an SSI without the need for
a password.
* Specify a revocation process for expiring an identity.

# Suggestions

* Encapsulate the encryption process into its own module.
* Start with smaller RSA key pairs.
* If using Bluetooth, bootstrap the process with NFC.

# FAQ

## What is the difference between a digital identity and a self-sovereign identity?
Data structures that specify identifiers, names, or attributes are digital
identities. When the user of the digitial identity strongly controls the data, 
instead of a service provider, the digitial identity is self-soveriegn.

## How does this SSI app differ from existing popular apps such as Whatsapp or Signal?
SSI has different goals from Whatsapp/Signal.  

### Configuration

SSI enables owners to configure and control multiple digital identities that can
specify virtually any combination of identifying information of the owner.  

Whatsapp/Signal provide a single bare-boned user profile specifying the name,
phone number, owner’s photo, etc.  

### Presenting Identification

SSI owners decide which of several digital identities to present to relying
parties which enables them to control what identifying information to reveal.  

Whatsapp/Signal do not reveal any identifying information the users did not
already know before installing the app. For example, Alice adds her friend Bobby,
but they already knew each other's name, cell and photo.  

### Authentication

SSI plans to integrate authentication mechanisms so owners can strongly
bind to their digital identities. A relying party can demand the remote owner
re-authenticated to ensure they currently control their device confirming that
it has nott been stolen (somebody could steal your Android and scam me).  

Whatsapp/Signal can integrate with other authentication services, but only by
further centralization in single sign-on or by multifactor authentication.  

### Trust and Attestation

SSI also plans to give collaborating owners the ability to proof, attest and
issue digital identities to each other to elevate identity assurances among peers.
Alice might want to communitcate with Charlie, a stranger. But because Bobby is
friends with both Alice and Charlie, Alice can use Bobby's attestations to feel
secure that Charlie has presented a truthful identity.  

Whatsapp/Signal do not have this as a goal, though users can manually do this
with simple communication. Note, LinkedIn has similar features to SSI for users
to attent to the skills of others in their network.  


# References

* [Are you affected by the recent Target hack?](https://www.consumer.ftc.gov/blog/2013/12/are-you-affected-recent-target-hack)
* [The Equifax Data Breach: What to Do](https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do)
* [WeChat Security Concerns](https://en.wikipedia.org/wiki/WeChat#Security_concerns)
* [The Path to Self-Sovereign Identity](https://www.coindesk.com/path-self-sovereign-identity/)
* [Rebranding the Web of Trust](https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/raw/master/final-documents/rebranding-web-of-trust.pdf)
